CVE-2024-9060 identifies a stored Cross-Site Scripting (XSS) vulnerability in the grandplugins AVIF & SVG Uploader plugin for WordPress, specifically version 1.1.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where SVG files uploaded by authenticated users with Author-level access or higher are not sufficiently sanitized or escaped. This flaw allows attackers to embed arbitrary JavaScript payloads within SVG files, which are then stored on the server. When any user accesses a page containing the malicious SVG, the embedded script executes in their browser context, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability requires authentication at the Author level, which limits exploitation to users with some level of trust or access, but does not require further user interaction beyond viewing the malicious content. The CVSS 3.1 score of 6.4 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no availability impact. No patches or known exploits are currently documented, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing multiple authors or contributors. The root cause is insufficient input validation and output encoding of SVG uploads, a common vector for stored XSS attacks in web applications handling user-generated content.

The primary impact of CVE-2024-9060 is the potential compromise of user confidentiality and integrity on WordPress sites using the affected plugin. Attackers with Author-level access can inject malicious scripts that execute in the browsers of any user viewing the SVG files, including administrators and site visitors. This can lead to session hijacking, theft of sensitive cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of site content. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations with multi-author WordPress environments or those that allow user-generated content uploads are at higher risk. The requirement for authenticated access reduces the risk from external anonymous attackers but raises concerns about insider threats or compromised accounts. The vulnerability could be leveraged as a foothold for further attacks within the network or to pivot to other systems. Given WordPress's widespread use globally, the threat has broad potential impact, especially for sites relying on this specific plugin version without mitigations.

To mitigate CVE-2024-9060, organizations should first update the grandplugins AVIF & SVG Uploader plugin to a patched version once available. In the absence of an official patch, administrators should restrict upload permissions strictly to trusted users and consider disabling SVG uploads entirely if not required. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious SVG payloads can provide interim protection. Additionally, applying strict Content Security Policy (CSP) headers can help prevent execution of injected scripts. Regularly auditing user roles and permissions to minimize the number of users with Author-level or higher access reduces the attack surface. Monitoring logs for unusual upload activity and scanning uploaded SVG files for embedded scripts can also help detect exploitation attempts. Finally, educating site administrators and users about the risks of uploading untrusted SVG content and maintaining a robust incident response plan will enhance overall security posture.